Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 389427 (CVE-2011-4107)

Summary: <dev-db/phpmyadmin-3.4.9 XML Entity References Information Disclosure Vulnerability (CVE-2011-{4107,4634})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: a3li, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/46447/
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 395715    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2011-11-03 18:08:44 UTC 
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an error within libraries/import/xml.php when processing XML data, which can be exploited to e.g. disclose contents of certain local files and perform certain actions on the local network by sending specially crafted XML data including external entity references.

The vulnerability is confirmed in version 3.4.7. Other versions may also be affected.

Solution:
Not patched atm. (Restrict access to trusted users only)
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-11-18 06:15:56 UTC 
CVE-2011-4107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107):
  The simplexml_load_string function in the XML import plug-in
  (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x
  before 3.3.10.5 allows remote authenticated users to read arbitrary files
  via XML data containing external entity references, aka an XML external
  entity (XXE) injection attack.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2011-12-14 21:26:38 UTC 
Also CVE-2011-4634 which is described in PMASA-2011-18 (http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php). Issue was corrected in 3.4.8, released 2011-12-01.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-23 21:33:07 UTC 
Bump and fixing together with bug 395715
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-01-01 17:53:13 UTC 
Stabilization completed in bug 395715. GLSA Vote: no.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-01-02 19:01:50 UTC 
CVE-2011-4634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x
  before 3.4.8 allow remote attackers to inject arbitrary web script or HTML
  via (1) a crafted database name, related to the Database Synchronize panel;
  (2) a crafted database name, related to the Database rename panel; (3) a
  crafted SQL query, related to the table overview panel; (4) a crafted SQL
  query, related to the view creation dialog; (5) a crafted column type,
  related to the table search dialog; or (6) a crafted column type, related to
  the create index dialog.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-01-04 23:42:24 UTC 
This issue was resolved and addressed in
 GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml
by GLSA coordinator Tim Sammut (underling).